Category: vpn

Basically the Maximum Transmission Unit (MTU) is the limit for fragmentation. When a packet is larger than the MTU of the outgoing interface, the network device fragments that packet.

If the DF (Don’t Fragment) bit is set and the packet is bigger than the IP MTU, the packet is dropped instead.

What can you do when the DF bit is set on the incoming packets and the outgoing interface can only handle a 1500-byte MTU?

To prevent packet drops, you can configure the Maximum Segment Size (MSS) on any intermediate interface. When 2 endpoints start communicating (3-way handshake) they look for the lowest MSS value on the path (between Client A and Client B).
If you want to configure the MSS you must know about all of the protocols that add overhead. By default: MSS = MTU (1500) – IP header (20) – TCP header (20) = 1460

Here is another example with VPN (the overhead size depends on the IPsec config):

If you leave the IP MTU at its default setting (1500 bytes), then every packet is going to be fragmented, since the IPsec overhead increases the packet size to 1572 bytes. To prevent fragmentation you have 2 options:

Option 1: set the IP MTU of the interface to 1572:

(global)#interface Gi0/0
(interface)#ip mtu 1572

This way the packet size does not exceed the IP MTU and fragmentation does not happen.

Option 2: clamp the TCP MSS instead. This way the endpoint devices load only 1388 bytes of data into each segment (1500 – 20 IP – 20 TCP – 72 IPsec overhead), so when the network devices add their overhead (IP, TCP, IPsec…) the packet does not exceed 1500 bytes.

Note

There is an important difference between the “mtu” and the “ip mtu” command:

mtu: This command configures the Layer 2 MTU.
The L2 MTU is the maximum packet size that the interface supports. The L2 MTU does not include the Ethernet header and trailer. If the interface receives something that exceeds the L2 MTU, it is dropped. (Recommended: configure the same value on both sides of the link.)

ip mtu: This is the fragmentation margin, the size above which IP packets are fragmented.

If you configure the L2 MTU (mtu 1600), the IP MTU takes the same value.
However, you can set the IP MTU separately: ip mtu 1550

This means that fragmentation happens above 1550 bytes, while the interface can still handle packets with a size of 1600 bytes (e.g. MPLS-labelled packets).

Testing

ping

On Cisco devices you can ping with different packet sizes and also set the Don’t Fragment bit.
ICMP only.

iperf

iperf is a tool for generating TCP / UDP traffic.
You need to install iperf on both endpoints (client / server).
It offers many ways to generate traffic (different ports etc.), but the DF bit cannot be set.
Example:

Server: #iperf -s
Client: #iperf -p 80 -c 10.1.1.1

nping

nping is part of nmap. It can generate ICMP / TCP / UDP traffic with many options, including the Don’t Fragment bit.

For simple TCP traffic generation you do not need a client / server setup; one client and a destination network device is enough. (Note: root / sudo privilege is needed to run nping.)

This response means that the generated packet is larger than the interface MTU (interface# mtu <value>) of one of the network components.

You might receive a similar response but with the error message “Fragmentation needed”.
In that case the interface MTU is high enough, but the IP MTU (interface# ip mtu <value>) is lower than the packet size. Since the --df parameter is used, the network device cannot fragment the packet.
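To make the mtu / ip mtu / DF interaction and the MSS arithmetic above concrete, here is an added example (not from the original page) that models, in simplified form, what each hop does with a packet and derives the MSS to clamp for the 1572-byte IPsec case. The hop names and MTU values are constructed for the example.

```python
IP_HDR = 20   # bytes, IPv4 header without options
TCP_HDR = 20  # bytes, TCP header without options

def interface_outcome(packet_size: int, df: bool, l2_mtu: int, ip_mtu: int) -> str:
    """What one interface does with a packet of packet_size bytes (simplified model).

    The L2 "mtu" is checked first and exceeding it is always a drop; the "ip mtu"
    is the fragmentation margin, and the DF bit turns fragmentation into a drop
    (the "Fragmentation needed" case from the nping section)."""
    if packet_size > l2_mtu:
        return "dropped: exceeds interface mtu"
    if packet_size > ip_mtu:
        return "fragmentation needed (DF set)" if df else "fragmented"
    return "forwarded"

def path_outcome(packet_size: int, df: bool, hops) -> str:
    """Walk the hops in order and report the first one that does not forward intact."""
    for name, l2_mtu, ip_mtu in hops:
        result = interface_outcome(packet_size, df, l2_mtu, ip_mtu)
        if result != "forwarded":
            return f"{name}: {result}"
    return "delivered"

def clamp_mss(path_mtu: int = 1500, tunnel_overhead: int = 0) -> int:
    """TCP MSS that keeps the final, encapsulated packet within path_mtu.

    Default case: 1500 - 20 - 20 = 1460; with the 72-byte IPsec overhead
    of the page's 1572-byte example: 1460 - 72 = 1388."""
    return path_mtu - IP_HDR - TCP_HDR - tunnel_overhead

# Constructed path: Gi0/0 left at the defaults, Gi0/1 with "mtu 1600" and "ip mtu 1550"
HOPS = [("Gi0/0", 1500, 1500), ("Gi0/1", 1600, 1550)]
IPSEC_OVERHEAD = 1572 - 1500  # 72 bytes, from the page's example

if __name__ == "__main__":
    print(path_outcome(1572, True, HOPS))        # Gi0/0: dropped: exceeds interface mtu
    print(path_outcome(1572, True, HOPS[1:]))    # Gi0/1: fragmentation needed (DF set)
    mss = clamp_mss(tunnel_overhead=IPSEC_OVERHEAD)
    print(mss)                                   # 1388
    # a segment built with that MSS fits the 1500-byte hop even after IPsec encapsulation
    print(path_outcome(mss + IP_HDR + TCP_HDR + IPSEC_OVERHEAD, True, HOPS))  # delivered
```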

Types of VPN

MPLS: When a company has 2 or more sites with logical connectivity over the service provider’s network.

2 main types of VPN

Remote access VPN: Connection of a host to a site.

Site-to-Site VPN: Connection of 2 or more sites.

Main concepts

Confidentiality (encryption): The payload is enciphered (scrambled) so it cannot be eavesdropped.

Data Integrity (hashing): The attacker cannot inject data into the packets. The payload will be the same at the destination.

Authentication (check identity): This ensures that at the beginning of the VPN connection you connect to the right computer.

Anti-replay: An attacker could replay a part of the VPN traffic and this way build a VPN to the victim computer (authentication failure). This is why once a VPN packet has been sent and accounted for, it cannot be used again.

Terminology

Cipher: Also called an algorithm; it performs encryption and decryption.

Block Ciphers (AES, 3DES, DES, Blowfish, IDEA): They use a symmetric key on a group of bits, a block: a 64-bit block of plaintext –> a 64-bit block of ciphertext.

Stream Ciphers: Also use a symmetric key, but encrypt 1 bit at a time.

Symmetric and Asymmetric Algorithms

Asymmetric

This type of encryption is used at the beginning of the communication. The 2 parties agree which symmetric key they are going to use for the communication, and for this negotiation they use asymmetric encryption.

RSA: Similar to DH. Mostly used for authentication. 512 to 2048 bits (min 1024 recommended)

Asymmetric keys are very strong but need lots of computing power; that is why symmetric keys are used for transferring data.

Symmetric

Uses the same key to encrypt and decrypt the data, so both devices need the key to communicate. Much faster than asymmetric algorithms. The usual key length is 40 to 256 bits.

DES

3DES

AES: 128, 192, 256 bit keys

Hashing

Hashing a block of data produces a small fixed-size hash value. It is a one-way function. If you hash the same block of data on another computer you get the same fixed-size hash value. This result is called a digest.

MD5: Creates a 128-bit digest

SHA-1: Creates a 160-bit digest

SHA-2: Can create digests between 224 and 512 bits.

Authentication

Pre-shared keys (PSK)

At the beginning of the communication the 2 parties send a hashed password to ensure they are talking to the right device.

Cons: These passwords need to be changed from time to time (local passwords…) and in a big network that is a pain…

Digital Signatures

Public Key Infrastructure (PKI)
Here the Certificate Authority gives all devices a certificate.

Digital Certificate in action

Consider two devices that want to establish a VPN connection to each other and use digital signatures to verify that they are talking to the right device.
Bob and Lois have generated public-private key pairs, and both have been given digital certificates by a common certificate authority (CA). A CA is a trusted entity that hands out digital certificates.
If you and I were to open a digital certificate, we would find the name of the entity (for example, Bob) and Bob’s public key (which Bob gave to the CA when he applied for his digital certificate). There would also be a digital signature of the CA.

Bob takes a packet and generates a hash. Bob then encrypts this small hash using his private key, attaches the encrypted hash to the packet and sends it to Lois. There is a fancy name for this encrypted hash: a digital signature.
When Lois receives the packet she takes the encrypted hash and decrypts it using Bob’s public key. She sets the decrypted hash aside for a moment and runs the same hash algorithm on the packet she just received. If the hash she calculated matches the hash she received, she knows two things: the only one who could have encrypted it was Bob with Bob’s private key, and the data integrity of the packet is solid, because if even 1 bit had changed the hashes would not match.
This process is called authentication using digital signatures. It normally happens in both directions on an IPsec VPN tunnel when the peers use digital signatures for authentication, referred to as rsa-signatures in the configuration.

Bob and Lois also exchanged digital certificates, which contain each other’s public keys. Bob and Lois do not trust just any certificate, but they do trust certificates that are digitally signed by a CA they trust. This implies that, to verify the CA’s digital signatures, both Bob and Lois also need the CA’s public key. Most browsers today ship with built-in certificates and public keys for the mainstream CAs on the Internet.

SSL (Secure Sockets Layer)

Mainly used for HTTPS and remote-access VPN. For IPsec everybody needs client software, but it is not necessary for SSL. Even if everyone had IPsec client software, not everyone has a digital cert or PSK.

To use SSL the user connects to an SSL server (a web server with SSL support) over HTTPS. When the browser asks the web server to identify itself, the server sends a copy of its digital cert (SSL certificate). The browser checks the digital signature of the CA. If it trusts the cert, it will use the web server’s public key.

Fundamentals of PKI

Enrolling a cert in a nutshell

Same example with Bob and Lois. Both of them create a public and a private key. The CA creates a digital certificate using each of their public keys, IP address and name, and the CA puts its digital signature on the digital cert.

Using the certs:

They exchange the digital certs and each of them checks the other’s against the CA. If the CA digital signature is OK, they use the public key that is in the digital cert.
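The signing and verification steps from the Bob/Lois walk-through and the cert check above, as an added example that is not part of the original page: a textbook-RSA signature over a SHA-256 digest, a minimal CA-signed "certificate" binding Bob's name to his key, and Lois's check that trusts only the CA. The primes, key sizes and packet content are constructed toy values, far too small for real use.

```python
import hashlib
import json

def keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (n, e), (n, d)

def digest(data: bytes, n: int) -> int:
    # SHA-256 of the packet, reduced mod n because the toy keys are far smaller than 256 bits
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, private) -> int:
    """Bob's step: hash the packet and 'encrypt' the hash with his private key."""
    n, d = private
    return pow(digest(data, n), d, n)

def verify(data: bytes, signature: int, public) -> bool:
    """Lois's step: recover the hash with the public key and compare with her own hash."""
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def issue_cert(subject: str, subject_pub, ca_private) -> dict:
    """The CA binds a name to a public key and signs that binding."""
    body = {"subject": subject, "public_key": list(subject_pub)}
    return {"body": body, "ca_signature": sign(json.dumps(body, sort_keys=True).encode(), ca_private)}

def verify_cert(cert: dict, ca_public) -> bool:
    return verify(json.dumps(cert["body"], sort_keys=True).encode(), cert["ca_signature"], ca_public)

def lois_accepts(cert: dict, packet: bytes, signature: int, ca_public) -> bool:
    """Lois trusts only the CA: check the cert first, then use the certified key on the packet."""
    if not verify_cert(cert, ca_public):
        return False
    return verify(packet, signature, tuple(cert["body"]["public_key"]))

# Constructed toy keys (primes far too small for real use; only for the walk-through)
CA_PUB, CA_PRIV = keypair(104729, 104723)
BOB_PUB, BOB_PRIV = keypair(99991, 65521)
BOB_CERT = issue_cert("Bob", BOB_PUB, CA_PRIV)

if __name__ == "__main__":
    packet = b"IKE proposal from Bob"   # constructed payload
    sig = sign(packet, BOB_PRIV)
    print(lois_accepts(BOB_CERT, packet, sig, CA_PUB))          # True
    print(lois_accepts(BOB_CERT, packet + b"!", sig, CA_PUB))   # False: one change breaks the hash
```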

Root Certificate

This contains the public key of the CA server and some more information about it.

Identity certificate

An identity certificate is similar to a root certificate, but it describes the client and contains the public key of an individual host (the client).

As a review, most digital certificates contain the following information:
■ Serial number: Assigned by the CA and used to uniquely identify the certificate
■ Subject: The person or entity that is being identified
■ Signature algorithm: The specific algorithm that was used for signing the digital certificate
■ Signature: The digital signature from the certificate authority, which is used by devices that want to verify the authenticity of the certificate issued by that CA
■ Issuer: The entity or CA that created and issued the digital certificate
■ Valid from: The date the certificate became valid
■ Valid to: The expiration date of the certificate
■ Key usage: The functions for which the public key in the certificate may be used
■ Public key: The public portion of the public and private key pair generated by the host whose certificate is being looked at
■ Thumbprint algorithm: The hash algorithm used for data integrity
■ Thumbprint: The actual hash
■ Certificate revocation list location: The URL that can be checked to see whether the serial number of any certificate issued by the CA has been revoked

Authenticating and Enrolling with the CA

First we need to authenticate the CA; for this we get the root certificate (it contains the public key of the CA).

The second step is creating our own identity certificate. We generate a public-private key pair and give the public key to the CA (plus some more info). The CA generates the identity cert (putting its digital signature on it) and sends it back. This is the cert we use.